#include <PeerConnector.h>

Inheritance diagram for Security::PeerConnector:
Collaboration diagram for Security::PeerConnector:

Classes

class  CbDialer
 Callback dialer API to allow PeerConnector to set the answer. More...
 

Public Types

typedef CbcPointer< PeerConnector > Pointer
 

Public Member Functions

 PeerConnector (const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
 
virtual ~PeerConnector ()
 
bool canBeCalled (AsyncCall &call) const
 whether we can be called More...
 
void callStart (AsyncCall &call)
 
virtual void callEnd ()
 called right after the called job method More...
 
virtual void callException (const std::exception &e)
 called when the job throws during an async call More...
 
virtual void * toCbdata ()=0
 

Static Public Member Functions

static Pointer Start (AsyncJob *job)
 starts a freshly created job (i.e., makes the job asynchronous) More...
 

Protected Member Functions

virtual void start ()
 Preps connection and SSL state. Calls negotiate(). More...
 
virtual bool doneAll () const
 whether positive goal has been reached More...
 
virtual void swanSong ()
 
virtual const char * status () const
 internal cleanup; do not call directly More...
 
void commCloseHandler (const CommCloseCbParams &params)
 The comm_close callback handler. More...
 
void connectionClosed (const char *reason)
 Inform us that the connection is closed. Does the required clean-up. More...
 
bool prepareSocket ()
 
virtual bool initialize (Security::SessionPointer &)
 
void negotiate ()
 
bool sslFinalized ()
 
void handleNegotiateError (const int result)
 
void noteWantRead ()
 
bool checkForMissingCertificates ()
 
void startCertDownloading (SBuf &url)
 Start downloading procedure for the given URL. More...
 
void certDownloadingDone (SBuf &object, int status)
 Called by Downloader after a certificate object downloaded. More...
 
virtual void noteWantWrite ()
 
virtual void noteNegotiationError (const int result, const int ssl_error, const int ssl_lib_error)
 
virtual void noteNegotiationDone (ErrorState *error)
 
virtual Security::ContextPointer getTlsContext ()=0
 
Comm::ConnectionPointer const & serverConnection () const
 mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl More...
 
void bail (ErrorState *error)
 Return an error to the PeerConnector caller. More...
 
void callBack ()
 
void bypassCertValidator ()
 If called, the certificate validator will not be used. More...
 
void recordNegotiationDetails ()
 
void deleteThis (const char *aReason)
 
void mustStop (const char *aReason)
 
bool done () const
 the job is destroyed in callEnd() when done() More...
 

Protected Attributes

HttpRequestPointer request
 peer connection trigger or cause More...
 
Comm::ConnectionPointer serverConn
 TCP connection to the peer. More...
 
AccessLogEntryPointer al
 info for the future access.log entry More...
 
AsyncCall::Pointer callback
 we call this with the results More...
 
const char * stopReason
 reason for forcing done() to be true More...
 
const char * typeName
 kid (leaf) class name, for debugging More...
 
AsyncCall::Pointer inCall
 the asynchronous call being handled, if any More...
 
const InstanceId< AsyncJob > id
 job identifier More...
 

Private Member Functions

 CBDATA_CLASS (PeerConnector)
 
 PeerConnector (const PeerConnector &)
 
PeerConnector & operator= (const PeerConnector &)
 
void sslCrtvdHandleReply (Ssl::CertValidationResponsePointer)
 Process response from cert validator helper. More...
 
Security::CertErrors * sslCrtvdCheckForErrors (Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&)
 Check SSL errors returned from cert validator against sslproxy_cert_error access list. More...
 
void negotiateSsl ()
 Comm::SetSelect() callback. Direct calls tickle/resume negotiations. More...
 

Static Private Member Functions

static void NegotiateSsl (int fd, void *data)
 A wrapper for Comm::SetSelect() notifications. More...
 

Private Attributes

AsyncCall::Pointer closeHandler
 we call this when the connection closed More...
 
time_t negotiationTimeout
 the SSL connection timeout to use More...
 
time_t startTime
 when the peer connector negotiation started More...
 
bool useCertValidator_
 
std::queue< SBuf > urlsOfMissingCerts
 The list of URLs where missing certificates should be downloaded. More...
 
unsigned int certsDownloads
 the number of downloaded missing certificates More...
 

Static Private Attributes

static const unsigned int MaxCertsDownloads = 10
 The maximum allowed missing certificates downloads. More...
 
static const unsigned int MaxNestedDownloads = 3
 The maximum allowed nested certificates downloads. More...
 

Detailed Description

Initiates encryption on a connection to peers or servers. Despite its name, it does not perform any connect(2) operations.

Contains common code and interfaces of the various specialized PeerConnectors, including peer certificate validation code.

The caller receives a call back with Security::EncryptorAnswer. If answer.error is not nil, then there was an error and the encryption to the peer or server was not fully established. The error object is suitable for error response generation.
The caller must monitor the connection for closure because this job will not inform the caller about such events.
The PeerConnector class currently supports a form of TLS negotiation timeout, which is accounted for only when it sets the read timeout for encrypted peers/servers. For a complete solution, the caller must monitor the overall connection establishment timeout and close the connection on timeouts. This is probably better than having dedicated (or none at all!) timeouts for peer selection, DNS lookup, TCP handshake, SSL handshake, etc. Some steps may have their own timeout, but not all steps should be forced to have theirs. XXX: tunnel.cc and probably other subsystems do not have an "overall connection establishment" timeout. We need to change their code so that they start monitoring earlier and close on timeouts. This change may need to be discussed on squid-dev.
This job never closes the connection, even on errors. If a 3rd-party closes the connection, this job simply quits without informing the caller.

Definition at line 63 of file PeerConnector.h.

Member Typedef Documentation

◆ Pointer

Constructor & Destructor Documentation

◆ PeerConnector() [1/2]

Security::PeerConnector::PeerConnector ( const Comm::ConnectionPointer & aServerConn, AsyncCall::Pointer & aCallback, const AccessLogEntryPointer & alp, const time_t timeout = 0 )

Definition at line 32 of file PeerConnector.cc.

References callback, debugs, AsyncCall::getDialer(), and Must.

Referenced by Security::PeerConnector::CbDialer::~CbDialer().

◆ ~PeerConnector()

Security::PeerConnector::~PeerConnector ( )
virtual

Definition at line 47 of file PeerConnector.cc.

References debugs.

Referenced by Security::PeerConnector::CbDialer::~CbDialer().

◆ PeerConnector() [2/2]

Security::PeerConnector::PeerConnector ( const PeerConnector & )
private

Member Function Documentation

◆ bail()

◆ bypassCertValidator()

void Security::PeerConnector::bypassCertValidator ( )
inlineprotected

◆ callBack()

void Security::PeerConnector::callBack ( )
protected

◆ callEnd()

void AsyncJob::callEnd ( )
virtualinherited

◆ callException()

◆ callStart()

void AsyncJob::callStart ( AsyncCall & call)
inherited

◆ canBeCalled()

bool AsyncJob::canBeCalled ( AsyncCall & call) const
inherited

Definition at line 101 of file AsyncJob.cc.

References AsyncCall::cancel(), debugs, HERE(), AsyncJob::inCall, and NULL.

Referenced by AsyncJob::swanSong().

◆ CBDATA_CLASS()

Security::PeerConnector::CBDATA_CLASS ( PeerConnector  )
private

◆ certDownloadingDone()

◆ checkForMissingCertificates()

bool Security::PeerConnector::checkForMissingCertificates ( )
protected

Walks the certificate list sent by the SSL server and checks whether any certificates are missing. Adds the URLs of missing certificates to the urlsOfMissingCerts queue when that information is provided by the issued certificates through the Authority Info Access extension.

Definition at line 683 of file PeerConnector.cc.

References BIO_get_data(), debugs, HttpRequest::downloader, Comm::Connection::fd, fd_table, CbcPointer< Cbc >::get(), getTlsContext(), MaxNestedDownloads, Ssl::missingChainCertificatesUrls(), Downloader::nestedLevel(), request, Ssl::ServerBio::serverCertificatesIfAny(), serverConnection(), startCertDownloading(), and urlsOfMissingCerts.

Referenced by noteWantRead(), and Security::PeerConnector::CbDialer::~CbDialer().
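As an added illustration (not Squid's own code), the following standalone C++ model shows the two bounds that the page documents for this fetching procedure: MaxCertsDownloads caps the number of missing-certificate downloads per negotiation and MaxNestedDownloads caps how deeply downloads may nest. Only the two constants come from PeerConnector.h; the struct, its members and the AIA URLs are hypothetical and constructed.

```cpp
// Added illustration, not Squid code: a standalone model of how PeerConnector
// bounds the fetching of missing intermediate certificates via Authority Info
// Access (AIA) URLs. Only the two constants come from PeerConnector.h; the
// struct, its members and the URLs are hypothetical/constructed.
#include <queue>
#include <string>
#include <vector>

static const unsigned int MaxCertsDownloads = 10;  // per-negotiation fetch cap
static const unsigned int MaxNestedDownloads = 3;  // cap on downloader nesting

struct MissingCertFetcher {
    // nestedLevel models Downloader::nestedLevel(): how many certificate
    // downloads are already stacked beneath this negotiation (a fetch over
    // HTTPS may itself need missing certificates, and so on).
    explicit MissingCertFetcher(unsigned int level) : nestedLevel(level) {}

    std::queue<std::string> urlsOfMissingCerts;  // URLs still to fetch
    unsigned int certsDownloads = 0;             // downloads completed so far
    unsigned int nestedLevel;

    // Model of checkForMissingCertificates(): queue the AIA URLs found in the
    // server-sent chain unless nesting is already too deep. Returns true when
    // a download was started.
    bool checkForMissingCertificates(const std::vector<std::string> &aiaUrls) {
        if (nestedLevel >= MaxNestedDownloads)
            return false;  // too deep: stop chasing issuers, validate as-is
        for (const auto &url : aiaUrls)
            urlsOfMissingCerts.push(url);
        return startNextDownload();
    }

    // Model of certDownloadingDone(): record the finished download and start
    // the next queued URL if the per-negotiation cap still allows it.
    bool certDownloadingDone() {
        ++certsDownloads;
        return startNextDownload();
    }

    // Starts the next queued download (modelled as a pop) unless the queue is
    // empty or MaxCertsDownloads has been reached.
    bool startNextDownload() {
        if (urlsOfMissingCerts.empty() || certsDownloads >= MaxCertsDownloads)
            return false;
        urlsOfMissingCerts.pop();
        return true;
    }
};
```

Both caps matter for a proxy: without them a malicious or misconfigured server chain could make the negotiation chase an unbounded set of issuer URLs.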

◆ commCloseHandler()

void Security::PeerConnector::commCloseHandler ( const CommCloseCbParams & params)
protected

◆ connectionClosed()

void Security::PeerConnector::connectionClosed ( const char *  reason)
protected

◆ deleteThis()

void AsyncJob::deleteThis ( const char *  aReason)
protectedinherited

◆ done()

◆ doneAll()

bool Security::PeerConnector::doneAll ( ) const
protectedvirtual

Reimplemented from AsyncJob.

Definition at line 52 of file PeerConnector.cc.

References callback, AsyncCall::canceled(), and AsyncJob::doneAll().

Referenced by Security::PeerConnector::CbDialer::~CbDialer().

◆ getTlsContext()

virtual Security::ContextPointer Security::PeerConnector::getTlsContext ( )
protectedpure virtual

Must be implemented by the kid classes to return the TLS context object to use for building the encryption context objects.

Implemented in Ssl::IcapPeerConnector, Security::BlindPeerConnector, and Ssl::PeekingPeerConnector.

Referenced by certDownloadingDone(), checkForMissingCertificates(), initialize(), and noteNegotiationDone().

◆ handleNegotiateError()

void Security::PeerConnector::handleNegotiateError ( const int  result)
protected

Called when a negotiation step aborts, either because data needs to be transferred to/from the server or because of an error. In the first case, it sets up the appropriate Comm::SetSelect handler. In the second case, it fills in an error and reports it to the PeerConnector caller.

Definition at line 382 of file PeerConnector.cc.

References DBG_IMPORTANT, debugs, Comm::Connection::fd, fd_table, Must, noteNegotiationError(), noteWantRead(), noteWantWrite(), recordNegotiationDetails(), and serverConnection().

Referenced by negotiate(), and Security::PeerConnector::CbDialer::~CbDialer().

◆ initialize()

◆ mustStop()

void AsyncJob::mustStop ( const char *  aReason)
protectedinherited

Definition at line 69 of file AsyncJob.cc.

References debugs, AsyncJob::inCall, Must, NULL, AsyncJob::stopReason, and AsyncJob::typeName.

Referenced by HttpStateData::abortAll(), Ftp::Client::abortAll(), Comm::TcpAcceptor::acceptOne(), Adaptation::Ecap::XactionRep::adaptationAborted(), Adaptation::AccessCheck::callBack(), AsyncJob::callException(), connectionClosed(), HttpStateData::continueAfterParsingHeader(), Ftp::Client::ctrlClosed(), Adaptation::Iterator::handleAdaptationBlock(), Adaptation::Iterator::handleAdaptationError(), Log::TcpLogger::handleClosure(), Adaptation::Icap::Xaction::handleCommClosed(), Http::Tunneler::handleConnectionClosure(), Mgr::Forwarder::handleError(), Ipc::Forwarder::handleError(), Ipc::Forwarder::handleException(), Ipc::Inquirer::handleException(), HttpStateData::handleMoreRequestBodyAvailable(), Ipc::Inquirer::handleRemoteAck(), Ipc::Forwarder::handleTimeout(), HttpStateData::httpStateConnClosed(), HttpStateData::httpTimeout(), Comm::ConnOpener::noteAbort(), Adaptation::Icap::ModXact::noteBodyConsumerAborted(), Snmp::Forwarder::noteCommClosed(), Snmp::Inquirer::noteCommClosed(), Mgr::Inquirer::noteCommClosed(), Mgr::Forwarder::noteCommClosed(), Mgr::StoreToCommWriter::noteCommClosed(), Adaptation::Icap::Xaction::noteCommRead(), Rock::HeaderUpdater::noteDoneReading(), Adaptation::Iterator::noteInitiatorAborted(), Adaptation::Icap::Xaction::noteInitiatorAborted(), Adaptation::Ecap::XactionRep::noteInitiatorAborted(), HttpStateData::readReply(), Comm::ConnOpener::sendAnswer(), Rock::Rebuild::start(), start(), HttpStateData::start(), Ipc::UdsSender::timedout(), and HttpStateData::wroteLast().

◆ negotiate()

void Security::PeerConnector::negotiate ( )
protected

Performs a single secure connection negotiation step. It is called multiple times until the negotiation finishes or aborts.

Definition at line 164 of file PeerConnector.cc.

References callBack(), debugs, Comm::Connection::fd, fd_table, handleNegotiateError(), Comm::IsConnOpen(), recordNegotiationDetails(), serverConnection(), and sslFinalized().

Referenced by negotiateSsl(), start(), and Security::PeerConnector::CbDialer::~CbDialer().

◆ NegotiateSsl()

void Security::PeerConnector::NegotiateSsl ( int fd, void * data )
staticprivate

Definition at line 365 of file PeerConnector.cc.

References data.

Referenced by noteWantRead(), and noteWantWrite().

◆ negotiateSsl()

void Security::PeerConnector::negotiateSsl ( )
private

Definition at line 375 of file PeerConnector.cc.

References CallJobHere, and negotiate().

Referenced by certDownloadingDone(), and noteWantRead().

◆ noteNegotiationDone()

virtual void Security::PeerConnector::noteNegotiationDone ( ErrorState * error)
inlineprotectedvirtual

Called when the SSL negotiation to the server has completed and the certificates have been validated using the cert validator.

Parameters
error: if not NULL, the SSL negotiation was aborted with an error

Reimplemented in Ssl::IcapPeerConnector, Security::BlindPeerConnector, and Ssl::PeekingPeerConnector.

Definition at line 154 of file PeerConnector.h.

References getTlsContext().

Referenced by initialize(), noteNegotiationError(), sslCrtvdHandleReply(), and sslFinalized().

◆ noteNegotiationError()

void Security::PeerConnector::noteNegotiationError ( const int result, const int ssl_error, const int ssl_lib_error )
protectedvirtual

Called when the SSL_connect function aborts with an SSL negotiation error.

Parameters
result: the SSL_connect return code
ssl_error: the error code returned from the SSL_get_error function
ssl_lib_error: the error returned from the ERR_get_error function

Reimplemented in Ssl::PeekingPeerConnector.

Definition at line 491 of file PeerConnector.cc.

References al, bail(), DBG_IMPORTANT, debugs, ERR_SECURE_CONNECT_FAIL, Security::ErrorString(), Comm::Connection::fd, fd_table, ErrorState::NewForwarding(), noteNegotiationDone(), NULL, request, serverConnection(), SQUID_ERR_SSL_HANDSHAKE, and ssl_ex_index_ssl_error_detail.

Referenced by handleNegotiateError(), Ssl::PeekingPeerConnector::noteNegotiationError(), and Security::PeerConnector::CbDialer::~CbDialer().

◆ noteWantRead()

void Security::PeerConnector::noteWantRead ( )
protected

Called when the OpenSSL SSL_connect function requests more data from the remote SSL server. Sets the read timeout and sets the Squid COMM_SELECT_READ handler.

Definition at line 446 of file PeerConnector.cc.

References BIO_get_data(), checkForMissingCertificates(), COMM_SELECT_READ, commSetConnTimeout(), DBG_IMPORTANT, debugs, Comm::Connection::fd, fd_table, Ssl::ServerBio::holdRead(), Comm::MortalReadTimeout(), NegotiateSsl(), negotiateSsl(), negotiationTimeout, Store::nil, serverConnection(), Comm::SetSelect(), and startTime.

Referenced by handleNegotiateError(), and Security::PeerConnector::CbDialer::~CbDialer().

◆ noteWantWrite()

void Security::PeerConnector::noteWantWrite ( )
protectedvirtual

Called when the OpenSSL SSL_connect function needs to write data to the remote SSL server. Sets the Squid COMM_SELECT_WRITE handler.

Reimplemented in Ssl::PeekingPeerConnector.

Definition at line 482 of file PeerConnector.cc.

References COMM_SELECT_WRITE, debugs, Comm::Connection::fd, NegotiateSsl(), serverConnection(), and Comm::SetSelect().

Referenced by Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched(), handleNegotiateError(), Ssl::PeekingPeerConnector::noteWantWrite(), and Security::PeerConnector::CbDialer::~CbDialer().

◆ operator=()

PeerConnector & Security::PeerConnector::operator= ( const PeerConnector & )
private

◆ prepareSocket()

bool Security::PeerConnector::prepareSocket ( )
protected

Sets up the TCP socket-related notification callbacks used if things go wrong. If the socket is already closed, returns false; otherwise installs the comm_close handler to monitor the socket.

Definition at line 87 of file PeerConnector.cc.

References closeHandler, comm_add_close_handler(), commCloseHandler(), connectionClosed(), debugs, fd_table, Comm::IsConnOpen(), JobCallback, and serverConnection().

Referenced by start(), and Security::PeerConnector::CbDialer::~CbDialer().

◆ recordNegotiationDetails()

void Security::PeerConnector::recordNegotiationDetails ( )
protected

◆ serverConnection()

◆ sslCrtvdCheckForErrors()

Security::CertErrors * Security::PeerConnector::sslCrtvdCheckForErrors ( Ssl::CertValidationResponse const & resp, Ssl::ErrorDetail *& errDetails )
private

Checks the errors in the cert validator response against the sslproxy_cert_error access list. The first honored error, if any, is returned via the errDetails parameter. The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors.

Definition at line 309 of file PeerConnector.cc.

References acl_access, ACLFilledChecklist::al, al, allow_t::allowed(), assert, SquidConfig::cert_error, Config, dash_str, debugs, Ssl::CertValidationResponse::errors, ACLChecklist::fastCheck(), fd_table, Security::LockingPointer< T, UnLocker, Locker >::get(), RefCount< C >::getRaw(), i, NULL, CbDataList< C >::push_back_unique(), request, serverConnection(), SquidConfig::ssl_client, ACLFilledChecklist::sslErrors, and ACLFilledChecklist::syncAle().

Referenced by sslCrtvdHandleReply().

◆ sslCrtvdHandleReply()

◆ sslFinalized()

◆ Start()

◆ start()

void Security::PeerConnector::start ( )
protectedvirtual

◆ startCertDownloading()

◆ status()

const char * Security::PeerConnector::status ( ) const
protectedvirtual

◆ swanSong()

void Security::PeerConnector::swanSong ( )
protectedvirtual

◆ toCbdata()

virtual void* CbdataParent::toCbdata ( )
pure virtualinherited

Member Data Documentation

◆ al

◆ callback

AsyncCall::Pointer Security::PeerConnector::callback
protected

◆ certsDownloads

unsigned int Security::PeerConnector::certsDownloads
private

Definition at line 206 of file PeerConnector.h.

Referenced by certDownloadingDone().

◆ closeHandler

AsyncCall::Pointer Security::PeerConnector::closeHandler
private

Definition at line 200 of file PeerConnector.h.

Referenced by callBack(), and prepareSocket().

◆ id

const InstanceId<AsyncJob> AsyncJob::id
protectedinherited

Definition at line 72 of file AsyncJob.h.

◆ inCall

◆ MaxCertsDownloads

const unsigned int Security::PeerConnector::MaxCertsDownloads = 10
staticprivate

Definition at line 196 of file PeerConnector.h.

Referenced by certDownloadingDone().

◆ MaxNestedDownloads

const unsigned int Security::PeerConnector::MaxNestedDownloads = 3
staticprivate

Definition at line 198 of file PeerConnector.h.

Referenced by checkForMissingCertificates().

◆ negotiationTimeout

time_t Security::PeerConnector::negotiationTimeout
private

Definition at line 201 of file PeerConnector.h.

Referenced by noteWantRead().

◆ request

◆ serverConn

◆ startTime

time_t Security::PeerConnector::startTime
private

Definition at line 202 of file PeerConnector.h.

Referenced by noteWantRead().

◆ stopReason

const char* AsyncJob::stopReason
protectedinherited

◆ typeName

◆ urlsOfMissingCerts

std::queue<SBuf> Security::PeerConnector::urlsOfMissingCerts
private

Definition at line 205 of file PeerConnector.h.

Referenced by certDownloadingDone(), and checkForMissingCertificates().

◆ useCertValidator_

bool Security::PeerConnector::useCertValidator_
private

whether the certificate validator should be bypassed

Definition at line 203 of file PeerConnector.h.

Referenced by bypassCertValidator(), and sslFinalized().


The documentation for this class was generated from the following files:
